ATT&CK

The ATT&CK tab of the Alarm Monitor page uses the MITRE ATT&CK framework to classify malicious Events. Alarms are reported in an Event timeline and sorted into separate lists by MITRE ATT&CK Tactics and Techniques.

Events that align with ATT&CK Tactics and Techniques will be in a category that represents the Tactic, Technique, and Sub-Technique. The ATT&CK view breaks those Plixer Scrutinizer categories down further into individual Techniques and provides a visual representation of how those Techniques were observed over time.

In the ATT&CK view, the Tactics are listed horizontally along the top of the chart, with the Techniques listed vertically below the associated Tactic.

Event timeline actions

  • Mouseover - Shows the timestamps for the initial and most recent Events in the block, their severity, and the number of times the Event was observed during the timeframe

  • Click - Pulls out a quick-access tray containing links to the Policies and hosts associated with the Alarm as well as MITRE ATT&CK information (tactic, technique, and sub-technique) for the Event(s)

Event category list actions

  • Mouseover - Shows basic MITRE ATT&CK information (tactics, techniques, and sub-techniques) for the Event(s) as well as the number of times the Event was observed

  • Click - Filters all Alarm Monitor views to show only information for the selected Event block

Hint

Event blocks in both the timeline and the category lists are color-coded based on their severity.
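As an added illustration (not Scrutinizer code), the following builds the tactic/technique grid described above from constructed alarm records: it aggregates alarms into timeline blocks that carry the initial and most recent timestamps, the highest severity, and the observation count, and it mimics the category-list click filter. The field names, the severity-to-color scale, and the one-hour bucket width are assumptions.

```python
from collections import defaultdict

# Constructed sample alarms (illustrative only, not Scrutinizer output). Each
# carries the ATT&CK mapping the page describes, a Unix timestamp, and a
# numeric severity (higher is more severe); field names are assumed.
ALARMS = [
    {"ts": 1000, "tactic": "Reconnaissance", "technique": "T1595 Active Scanning",
     "sub_technique": "T1595.001 Scanning IP Blocks", "severity": 2, "host": "10.0.0.5", "policy": "Port scan"},
    {"ts": 1300, "tactic": "Reconnaissance", "technique": "T1595 Active Scanning",
     "sub_technique": "T1595.001 Scanning IP Blocks", "severity": 3, "host": "10.0.0.5", "policy": "Port scan"},
    {"ts": 4200, "tactic": "Command and Control", "technique": "T1071 Application Layer Protocol",
     "sub_technique": "T1071.001 Web Protocols", "severity": 4, "host": "10.0.0.9", "policy": "Beaconing"},
]

# Assumed severity-to-color scale; the page only says blocks are color-coded.
SEVERITY_COLOR = {1: "blue", 2: "yellow", 3: "orange", 4: "red"}

def build_attack_view(alarms, bucket_seconds=3600):
    """Group alarms into tactic -> technique -> {time bucket: block}.

    A block is one technique observed within one time bucket. It records the
    initial and most recent timestamps, the highest severity, the count, and
    the sub-techniques, hosts and policies shown in the quick-access tray.
    """
    view = defaultdict(lambda: defaultdict(dict))
    for a in alarms:
        bucket = a["ts"] // bucket_seconds
        blocks = view[a["tactic"]][a["technique"]]
        b = blocks.setdefault(bucket, {"first": a["ts"], "last": a["ts"], "severity": a["severity"],
                                       "count": 0, "sub_techniques": set(), "hosts": set(), "policies": set()})
        b["first"] = min(b["first"], a["ts"])
        b["last"] = max(b["last"], a["ts"])
        b["severity"] = max(b["severity"], a["severity"])  # block takes its worst alarm's severity
        b["count"] += 1
        b["sub_techniques"].add(a["sub_technique"])
        b["hosts"].add(a["host"])
        b["policies"].add(a["policy"])
    return view

def block_color(block):
    """Color for a timeline/category block based on its (assumed) severity scale."""
    return SEVERITY_COLOR.get(block["severity"], "grey")

def filter_alarms(alarms, tactic, technique):
    """Mimic the category-list click: keep only alarms for the selected block."""
    return [a for a in alarms if a["tactic"] == tactic and a["technique"] == technique]
```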

© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.